
Calterah Cybersecurity White Paper II: Calterah Cybersecurity Management System

2024-09-13

As the second white paper of the Calterah Cybersecurity White Paper series, this article delves into the Cybersecurity Management System (CSMS) of Calterah, covering various aspects including cybersecurity management and cybersecurity activities. Calterah’s CSMS takes into account the entire lifecycle of its mmWave radar chip products, effectively safeguarding product cybersecurity.

With more electronic control units, connected vehicles provide ultimate convenience, integrating safety and entertainment functions. But with more electronic components installed, vehicles are more liable to hacking. It is necessary to take sufficient cybersecurity measures in vehicle designs to safeguard against cyberattacks. Calterah has taken proactive approaches and stayed committed to automotive cybersecurity, with ISO/SAE 21434:2021 certified cybersecurity policies and processes established. Calterah is developing a radar solution project according to a combination of ISO/SAE 21434 and ASPICE requirements to minimize product cybersecurity risks and increase product quality.

In June 2022, Calterah began its efforts to meet ISO/SAE 21434:2021 Road vehicles — Cybersecurity engineering for its automotive SoC and solution development. In June 2023, Calterah attained the ISO/SAE 21434:2021 certification issued by TÜV Rheinland, making it a pioneer amongst China’s semiconductor suppliers. This achievement demonstrates Calterah’s essential capabilities in cybersecurity development and management, which have received global recognition. Calterah invites a third party to review the processes annually, ensuring their compliance and implementation in projects.

Figure 1 Calterah Automotive Cybersecurity Management Certificate

 

Based on existing policies and processes, Calterah has developed its CSMS by establishing its cybersecurity policy and a full set of processes, guidelines, and templates to meet the requirements of ISO/SAE 21434:2021. The CSMS of Calterah covers the following aspects:
1.  Organizational cybersecurity management
2.  Project cybersecurity management
3.  Distributed cybersecurity activities
4.  Continuous cybersecurity activities
5.  Concept development
6.  Product development
7.  Post-development phases
8.  Threat analysis and risk assessment (TARA)

Figure 2 Cybersecurity Management System

 

1.  Organizational Cybersecurity Management

Cybersecurity management has been incorporated in the organizational structure of Calterah.

The organizational cybersecurity management includes:

  • Overseeing cybersecurity management within Calterah
  • Maintaining cybersecurity culture
  • Overseeing cybersecurity-related work products
  • Establishing cybersecurity processes in accordance with ISO/SAE 21434:2021

Calterah conducts annual organizational audits to ensure compliance with the CSMS and provides regular cybersecurity training to increase the cybersecurity awareness of employees.

 

2.  Project Cybersecurity Management

The product cybersecurity development processes are integrated into Calterah’s product development framework, which is based on the V-Model. In a project, Calterah drafts a cybersecurity plan and makes corresponding tailoring for all cybersecurity-related activities and work products. Calterah also establishes a cybersecurity case to verify the completion status of all work products and conducts a cybersecurity assessment to evaluate product compliance with cybersecurity requirements.

 

3.  Distributed Cybersecurity Activities

Calterah has established processes for supplier selection and management to minimize cybersecurity risks introduced by suppliers, specifying distributed cybersecurity activities in cybersecurity interface agreements (CIAs) with suppliers. Calterah evaluates suppliers before selection and conducts periodic supplier audits thereafter to ensure product cybersecurity.

 

4.  Continuous Cybersecurity Activities

Calterah conducts cybersecurity activities throughout the entire product lifecycle.

Continuous cybersecurity monitoring is conducted by periodically searching for product-related cybersecurity keywords. If a potential security event is found, Calterah will promptly evaluate the cybersecurity event.

Vulnerability analysis is performed based on sources like public cybersecurity websites, previous TARAs on products, and reports from FAEs to evaluate product security against known vulnerabilities.

Calterah has established a cybersecurity incident response process. In the event of cybersecurity incidents, actions will be taken in a swift and efficient manner to remediate possible cybersecurity risks. The Calterah Product Security Incident Response Team (PSIRT) is also formed to receive and respond to potential security vulnerability reports.

Figure 3 Calterah Cybersecurity Incident Response Process

 

5.  Concept Development

During the Safety Element out of Context (SEooC) analysis, Calterah defines road vehicle application scenarios based on assumptions to establish a baseline for cybersecurity analysis. It then identifies cybersecurity-related assets in application scenarios, which are inputs for TARA. Calterah then conducts TARA to generate cybersecurity goals and claims. In this phase, cybersecurity concepts are also defined.

Figure 4 Calterah Cybersecurity Concept Development

 

6.  Product Development

During product development, cybersecurity requirements are defined and a product is designed and tested. Developers derive system requirements from cybersecurity goals and the assumed customer requirements. Software and hardware requirements are derived from system requirements for specific designs. Software and hardware developers design and test products according to the assigned requirements. Testing and verification are conducted to ensure satisfaction of the requirements. Calterah also defines cybersecurity requirements for post-development to help customers implement cybersecurity controls.

Figure 5 Calterah Cybersecurity in Product Development Phase

 

7.  Post-Development Phase

To guarantee cybersecurity in the post-development of products, Calterah takes the following measures:

  • Creating a cybersecurity incident response process to provide the cybersecurity support that subsequent production may require
  • Providing timely software upgrades to ensure cybersecurity
  • Establishing a cybersecurity production process and an end of cybersecurity support process

 

8.  Threat Analysis and Risk Assessment

TARA is conducted to assess risks faced by road users. Cybersecurity-related assets are identified in the SEooC analysis as inputs for TARA.

TARA starts by identifying the cybersecurity attributes of each cybersecurity asset (e.g. confidentiality, availability, authenticity, integrity, authorization, and non-repudiation) and the damage scenarios corresponding to each attribute. The impact level of each damage scenario is then evaluated by analyzing its safety, financial, operational, and privacy impacts. Subsequently, threat scenarios corresponding to the damage scenarios are derived according to the STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) methodology. Using a top-down analysis approach, potential attack paths for the threat scenarios are identified, and the attack feasibility and threat level of each attack path are determined by analyzing the attack potential.

Finally, an overall risk level and a risk mitigation measure are determined based on the impact level and threat level of each attack path.

Additionally, by analyzing the maximum impact level and attack vector, the Cybersecurity Assurance Level (CAL) can be determined, and it defines specific requirements of testing methods for each cybersecurity goal.

 

Figure 6 Calterah Threat Analysis and Risk Assessment 

Calterah handles risks based on the risk levels in the following ways: 

  • For an attack path with critical or high risk, Calterah will reduce or avoid the risk, and share relevant information with customers.
  • For a risk that is out of Calterah’s scope, Calterah will promptly inform customers through a cybersecurity manual and a TARA report.
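
The scoring chain described in this section (impact level, attack feasibility from attack potential, risk level, risk handling) can be sketched as follows. This is an added example, not Calterah's tooling: the point tables, thresholds, risk matrix, risk labels, the sample asset and the rule that overall impact is the worst of the four categories are all illustrative assumptions.

```python
# Illustrative TARA scoring; every table below is an assumption, not Calterah's values.
IMPACT = ["negligible", "moderate", "major", "severe"]
FEASIBILITY = ["very low", "low", "medium", "high"]  # the page's "threat level"

# Attack-potential points per factor: more points = more effort for the attacker.
POINTS = {
    "elapsed_time": {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11},
    "window": {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "equipment": {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9},
}
# RISK[impact][feasibility index] -> 1 (lowest) .. 5 (highest)
RISK = {"negligible": [1, 1, 1, 1], "moderate": [1, 2, 2, 3],
        "major": [1, 2, 3, 4], "severe": [2, 3, 4, 5]}
RISK_LABEL = {1: "minimal", 2: "low", 3: "medium", 4: "high", 5: "critical"}

def impact_level(ratings):
    """Overall impact: worst of the safety/financial/operational/privacy ratings."""
    return max(ratings.values(), key=IMPACT.index)

def attack_feasibility(path):
    """Sum the attack-potential points; a higher total means a less feasible attack."""
    total = sum(POINTS[factor][path[factor]] for factor in POINTS)
    for threshold, level in ((25, "very low"), (20, "low"), (14, "medium")):
        if total >= threshold:
            return level
    return "high"

def assess(damage_ratings, attack_paths):
    """Return (impact, {path: (feasibility, risk label, handling)}) per attack path."""
    impact = impact_level(damage_ratings)
    rows = {}
    for name, path in attack_paths.items():
        feas = attack_feasibility(path)
        label = RISK_LABEL[RISK[impact][FEASIBILITY.index(feas)]]
        # Page: critical/high risk is reduced or avoided and shared with customers.
        high = label in ("critical", "high")
        rows[name] = (feas, label, "reduce or avoid; inform customer" if high
                      else "per project policy (assumed)")
    return impact, rows

# Constructed sample: one damage scenario on a hypothetical firmware-integrity asset.
SAMPLE_RATINGS = {"safety": "severe", "financial": "moderate",
                  "operational": "major", "privacy": "negligible"}
SAMPLE_PATHS = {
    "AP-1": {"elapsed_time": "<=1 week", "expertise": "proficient", "knowledge": "restricted",
             "window": "moderate", "equipment": "specialized"},
    "AP-2": {"elapsed_time": "<=6 months", "expertise": "expert", "knowledge": "confidential",
             "window": "difficult", "equipment": "bespoke"},
}
if __name__ == "__main__":
    print(assess(SAMPLE_RATINGS, SAMPLE_PATHS))
```

The two sample paths share one impact level but land in different risk levels, which is why the page evaluates risk per attack path rather than per damage scenario.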

In the automotive supply chain, every link starting from semiconductors faces cybersecurity challenges. With the cybersecurity management system and cybersecurity implementation in projects, Calterah ensures the cybersecurity of its SoC products, providing a solid foundation for overall vehicle cybersecurity.